Abstract. In these short notes, we will show the following. Let $\mathbb{F}_q$ be a finite field and let $E/\mathbb{F}_q$ be an elliptic curve. Let $S_r$ be the $r$th summation (Semaev) polynomial for $E$.

• Under an assumption, we show that it is NP-complete to decide whether $S_r$, for large $r$, evaluates to zero on a given input. Unconditionally, we prove a similar result for summation polynomials over singular curves. This suggests limitations in the use of summation polynomials, for example in algorithms to solve the elliptic curve discrete logarithm problem.

• Assume that $q$ is a power of 2. We show that the Weil descent to $\mathbb{F}_2$ of $S_3$ for ordinary curves in general has first fall degree 2, which is much lower than expected. The reason is the existence of a group morphism to $\mathbb{F}_2$ which gives a linear polynomial after Weil descent. We want to raise awareness of its existence and raise doubt about certain Gröbner basis heuristics which claim that the first fall degree is close to the degree of regularity. Furthermore, this morphism can be used to speed up the relation generation when solving the elliptic curve discrete logarithm problem.


1. Introduction 

Let $\mathbb{F}_q$ be a finite field of cardinality $q$ and let $E/\mathbb{F}_q$ be an elliptic curve. Let $P \in E(\mathbb{F}_q)$ be a rational point and let $Q \in \langle P \rangle$. The elliptic curve discrete logarithm problem (ECDLP for short) is to find an integer $m$ such that $mP = Q$. The apparent hardness of this problem is of great importance in cryptography, as it forms the backbone of the security of various elliptic curve-based cryptographic primitives, such as the elliptic curve Diffie-Hellman key exchange protocol.

Various attacks on the ECDLP exist. For certain types of curves, fast algorithms exist (Silverman [12, XI.6]), but for generic elliptic curves no sub-exponential algorithm is known.

Motivated by the sub-exponential index calculus attack on the discrete logarithm problem in finite fields, attempts were made to mimic such attacks for elliptic curves. In general, such attacks on the ECDLP focus on the generation of relations. When enough relations have been obtained, one can solve the discrete logarithm using linear algebra. Let $E/\mathbb{F}_q$ be an elliptic curve given by a Weierstrass model and let $x\colon E(\overline{\mathbb{F}}_q) \setminus \{0\} \to \overline{\mathbb{F}}_q$ be the $x$-coordinate map. For every integer $r \in \mathbb{Z}_{\geq 3}$, one can define the $r$th summation (Semaev) polynomial $S_r \in \mathbb{F}_q[X_0, \ldots, X_{r-1}]$ for $E$. This polynomial has the following property. Let $x_0, \ldots, x_{r-1} \in \mathbb{F}_q$. Then one has $S_r(x_0, \ldots, x_{r-1}) = 0$ if and only if there are $P_i \in E(\overline{\mathbb{F}}_q) \setminus \{0\}$ with $x(P_i) = x_i$ and $P_0 + \cdots + P_{r-1} = 0$ (Proposition 2.1). Such summation polynomials have been used to obtain the required relations between points on an elliptic curve (see for example Diem [2]). In articles such as [4], [5] and others, people suggest and try to work with summation polynomials where $r$ is large, and they often handle them using the symmetry properties of these polynomials. In [4], for example, the authors compute the 8th summation polynomial.

The goal of this article is twofold. First, we want to show the limitations of summation polynomials. Under the assumption that one can construct elliptic curves over finite fields together with a point of large order, we show that it is NP-complete to check whether the $r$th summation polynomial evaluates to zero on a given input, for large $r$ (Theorem 3.5.i). Furthermore, we define summation polynomials for singular curves (see Section 2). We unconditionally prove a similar result for summation polynomials coming from singular curves (Theorem 3.5.ii). We prove these statements by reducing 3-SAT to the subset sum problem and then to the problem concerning summation polynomials. We remark that these results do not imply that the ECDLP is NP-complete (Remark 3.7).

Second, let $F = \mathbb{F}_{2^n}$ and let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$ with $a_1 \neq 0$. Petit and Quisquater in [9] suggest that the degree of regularity, an important parameter in the complexity analysis of Gröbner basis calculations, of specific Weil descent systems coming from the ECDLP for $E$ is close to the first fall degree of such a system. This assumption allows the authors to heuristically obtain sub-exponential algorithms for the ECDLP. Their heuristic assumption is largely motivated by a similar and widely believed conjecture concerning a Weil descent system arising from a univariate polynomial. Besides, they performed some experiments with small parameters ($n < 17$) for Weil descent systems from the third summation polynomial to show that the degree of regularity in these cases is close to the bound on the first fall degree they give. In this paper, we explicitly show that the first fall degree in this case is in general 2 (Corollary 4.11 and Remark 4.12). The reason for this unexpectedly low first fall degree is the existence of a surjective morphism which factors through taking $x$-coordinates:

$$E(F) \to \mathbb{F}_2, \qquad P \mapsto \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x(P) + a_2}{a_1^2}\right).$$


On the other hand, we performed further experiments to investigate the first fall degree assumption for $n$ up to 40. Our results indicate that, contrary to the assumption, the degree of regularity seems to grow as $n$ increases. This raises doubts about the heuristic assumption and, consequently, about the heuristic sub-exponential complexity estimate for the ECDLP in [9].

Next, we point out that even though the trace morphism is known, as far as we are aware it has not been utilized in ECDLP computations. Indeed, this morphism can be used to speed up Gröbner basis calculations to solve the ECDLP (Remark 4.8).

Finally, we will comment on the recent preprints by Semaev [10] and Karabina [6] based on the results of this article.

The remainder of this paper is organized as follows. In Section 2, we review the definition and properties of summation polynomials. Section 3 is dedicated to our first main result, namely the NP-completeness of deciding whether a summation polynomial vanishes on a given input. In Section 4, we describe the trace morphism, which leads us to determine the first fall degree of the Weil descent system arising from the third summation polynomial for an elliptic curve over a finite field of characteristic 2. Finally, we wrap up the paper with some experimental results on the degree of regularity of such systems, and we discuss the results of Semaev [10] and Karabina [6].


2. Summation polynomials 

In this section, we will define summation polynomials for a general elliptic curve in Weierstrass form.

Let $F$ be a field and let $A = (a_1, a_2, a_3, a_4, a_6) \in F^5$. Set

$$b_2 = a_1^2 + 4a_2, \quad b_4 = a_1a_3 + 2a_4, \quad b_6 = a_3^2 + 4a_6, \quad b_8 = a_1^2a_6 - a_1a_3a_4 + a_2a_3^2 + 4a_2a_6 - a_4^2.$$

We define

$$S_{A,2} = X_0 - X_1 \in F[X_0, X_1].$$

We define the third summation polynomial to be the polynomial $S_{A,3} \in F[X_0, X_1, X_2]$ of degree 4 given by

$$\begin{aligned} S_{A,3} = {} & (X_0^2X_1^2 + X_0^2X_2^2 + X_1^2X_2^2) - 2\,(X_0^2X_1X_2 + X_0X_1^2X_2 + X_0X_1X_2^2) \\ & - b_2\,X_0X_1X_2 - b_4\,(X_0X_1 + X_0X_2 + X_1X_2) - b_6\,(X_0 + X_1 + X_2) - b_8. \end{aligned}$$

We will quite often write $S_A$ instead of $S_{A,3}$. For $r \in \mathbb{Z}_{\geq 4}$, we recursively define the $r$th summation polynomial by

$$S_{A,r} = \mathrm{Res}_X\big(S_{A,r-1}(X_0, \ldots, X_{r-3}, X),\; S_{A,3}(X_{r-2}, X_{r-1}, X)\big) \in F[X_0, \ldots, X_{r-1}],$$

where $\mathrm{Res}_X$ denotes the resultant with respect to $X$. Note that $S_{A,3}$ has degree 2 in each variable; for instance, the coefficient of $X_2^2$ is $(X_0 - X_1)^2$.
We have the following proposition. 

Proposition 2.1. Let $F$ be a field and let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Let $r \in \mathbb{Z}_{\geq 2}$ and let $x_0, \ldots, x_{r-1} \in F$. Then there are $P_0, \ldots, P_{r-1} \in E(\overline{F}) \setminus \{0\}$ with $x(P_i) = x_i$ ($i = 0, \ldots, r-1$) such that $P_0 + \cdots + P_{r-1} = 0$ if and only if $S_{(a_1, a_2, a_3, a_4, a_6), r}(x_0, \ldots, x_{r-1}) = 0$.

Proof. From the definition of the resultant, one directly sees that it is enough to prove the cases $r = 2, 3$. See [2], especially Lemma 3.4. □
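The following is an added worked example, not code from the paper. It implements $S_{A,3}$ from the formula above, $S_{A,4}$ as the resultant of the recursive definition, and the group law of a general Weierstrass equation over a prime field, and checks Proposition 2.1 for $r = 3, 4$ by brute force. The curve $y^2 + xy + y = x^3 + 1$ over $\mathbb{F}_{11}$ and the restriction of the check to $x$-coordinates of rational points are our own choices: for such an $x$-coordinate, every point over $\overline{\mathbb{F}}_{11}$ with that $x$-coordinate is already rational, so enumerating $E(\mathbb{F}_{11})$ suffices there.

```python
"""S_3 and S_4 over a prime field, checked against the group law (Proposition
2.1).  Added example; the curve, the prime and the checks are our own choices."""
from itertools import product

P_MOD = 11
A = (1, 0, 1, 0, 1)   # (a1, a2, a3, a4, a6): y^2 + xy + y = x^3 + 1, nonsingular mod 11


def b_invariants(A):
    a1, a2, a3, a4, a6 = A
    b2 = a1 * a1 + 4 * a2
    b4 = a1 * a3 + 2 * a4
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 - a1 * a3 * a4 + a2 * a3 * a3 + 4 * a2 * a6 - a4 * a4
    return b2, b4, b6, b8


def s3_in_X(x0, x1, A, p):
    """Coefficients [c2, c1, c0] of S_{A,3}(x0, x1, X) as a polynomial in X."""
    b2, b4, b6, b8 = b_invariants(A)
    c2 = (x0 - x1) ** 2
    c1 = -2 * (x0 * x0 * x1 + x0 * x1 * x1) - b2 * x0 * x1 - b4 * (x0 + x1) - b6
    c0 = x0 * x0 * x1 * x1 - b4 * x0 * x1 - b6 * (x0 + x1) - b8
    return [c2 % p, c1 % p, c0 % p]


def s3(x0, x1, x2, A, p):
    c2, c1, c0 = s3_in_X(x0, x1, A, p)
    return (c2 * x2 * x2 + c1 * x2 + c0) % p


def det_mod_p(M, p):
    """Determinant over F_p by Gaussian elimination."""
    M = [row[:] for row in M]
    n, det = len(M), 1
    for i in range(n):
        piv = next((r for r in range(i, n) if M[r][i] % p), None)
        if piv is None:
            return 0
        if piv != i:
            M[i], M[piv], det = M[piv], M[i], -det
        det = det * M[i][i] % p
        inv = pow(M[i][i], -1, p)
        for r in range(i + 1, n):
            f = M[r][i] * inv % p
            M[r] = [(a - f * b) % p for a, b in zip(M[r], M[i])]
    return det % p


def resultant(f, g, p):
    """Res_X(f, g) via the Sylvester matrix (coefficient lists, highest degree first)."""
    m, n = len(f) - 1, len(g) - 1
    rows = [[0] * i + f + [0] * (n - 1 - i) for i in range(n)]
    rows += [[0] * i + g + [0] * (m - 1 - i) for i in range(m)]
    return det_mod_p(rows, p)


def s4(x0, x1, x2, x3, A, p):
    """S_{A,4} = Res_X(S_3(x0, x1, X), S_3(x2, x3, X)), the recursive definition."""
    return resultant(s3_in_X(x0, x1, A, p), s3_in_X(x2, x3, A, p), p)


def ec_add(P, Q, A, p):
    """Group law of a general Weierstrass equation (Silverman, III.2.3); O is None."""
    if P is None: return Q
    if Q is None: return P
    a1, a2, a3, a4, a6 = A
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2 + a1 * x1 + a3) % p == 0:
        return None                                       # Q = -P
    if x1 == x2:                                          # doubling
        den = pow(2 * y1 + a1 * x1 + a3, -1, p)
        lam = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * den
        nu = (-x1 ** 3 + a4 * x1 + 2 * a6 - a3 * y1) * den
    else:
        den = pow(x2 - x1, -1, p)
        lam = (y2 - y1) * den
        nu = (y1 * x2 - y2 * x1) * den
    x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
    y3 = (-(lam + a1) * x3 - nu - a3) % p
    return (x3, y3)


def ec_points(A, p):
    a1, a2, a3, a4, a6 = A
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y + a1 * x * y + a3 * y - x ** 3 - a2 * x * x - a4 * x - a6) % p == 0]


def zero_sum_x_tuples(r, pts, A, p):
    """x-coordinates of all r-tuples of nonzero rational points with sum 0."""
    found = set()
    for combo in product(pts, repeat=r - 1):
        s = None
        for Q in combo:
            s = ec_add(s, Q, A, p)
        if s is not None:                 # P_{r-1} = -s is nonzero; x(-s) = x(s)
            found.add(tuple(Q[0] for Q in combo) + (s[0],))
    return found


def check_proposition_2_1(r, A=A, p=P_MOD):
    """S_r vanishes exactly on the x-tuples that admit a zero-sum decomposition
    (over x-coordinates of rational points, rational P_i suffice)."""
    pts = ec_points(A, p)
    xs = sorted({P[0] for P in pts})
    evaluate = {3: lambda t: s3(*t, A, p), 4: lambda t: s4(*t, A, p)}[r]
    zero = zero_sum_x_tuples(r, pts, A, p)
    return all((evaluate(t) == 0) == (t in zero) for t in product(xs, repeat=r))
```

The resultant is taken with both factors regarded as polynomials of formal degree 2 in $X$, exactly as in the definition; this is what makes the degenerate tuples with $x_0 = x_1$ (leading coefficient $(x_0 - x_1)^2 = 0$) come out right, and the brute-force comparison covers those tuples as well.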

The next proposition describes two degenerate cases of the summation polynomial.

Proposition 2.2. Let $F$ be a field. Let $r \in \mathbb{Z}_{\geq 2}$. One has the following.

i. Let $x_0, \ldots, x_{r-1} \in F \setminus \{0, 1\}$. Then there are $n_i \in \{-1, 1\}$ ($i = 0, \ldots, r-1$) such that $x_0^{n_0} \cdots x_{r-1}^{n_{r-1}} = 1$ if and only if
$$S_{(1,0,0,0,0),r}\!\left(\frac{x_0}{(x_0-1)^2}, \ldots, \frac{x_{r-1}}{(x_{r-1}-1)^2}\right) = 0.$$

ii. Let $x_0, \ldots, x_{r-1} \in F \setminus \{0\}$. Then there are $n_i \in \{-1, 1\}$ ($i = 0, \ldots, r-1$) such that $n_0x_0 + \cdots + n_{r-1}x_{r-1} = 0$ if and only if
$$S_{(0,0,0,0,0),r}\!\left(\frac{1}{x_0^2}, \ldots, \frac{1}{x_{r-1}^2}\right) = 0.$$

Proof. By properties of the resultant, it is enough to prove the proposition for $r = 2, 3$. The case $r = 2$ is an easy calculation.

i. Assume $r = 3$. There are $n_i$ as above if and only if
$$0 = (x_0x_1x_2 - 1)(x_0^{-1}x_1x_2 - 1)(x_0x_1^{-1}x_2 - 1)(x_0x_1x_2^{-1} - 1) = (x_0x_1x_2)^{-1}\,(x_1x_2 - x_0)(x_0x_2 - x_1)(x_0x_1 - x_2)(x_0x_1x_2 - 1).$$
A calculation shows that
$$S_{(1,0,0,0,0)}\!\left(\frac{x_0}{(x_0-1)^2}, \frac{x_1}{(x_1-1)^2}, \frac{x_2}{(x_2-1)^2}\right) = \big((x_0-1)(x_1-1)(x_2-1)\big)^{-4}\,(x_1x_2 - x_0)(x_0x_2 - x_1)(x_0x_1 - x_2)(x_0x_1x_2 - 1).$$
Hence the result follows.

ii. The proof is similar to the proof of i, because one has
$$S_{(0,0,0,0,0)}\!\left(\frac{1}{x_0^2}, \frac{1}{x_1^2}, \frac{1}{x_2^2}\right) = (x_0x_1x_2)^{-4}\,(-x_0 + x_1 - x_2)(-x_0 + x_1 + x_2)(x_0 + x_1 - x_2)(x_0 + x_1 + x_2).$$
□


Remark 2.3. The resemblance between Proposition 2.1 and Proposition 2.2 is no coincidence.

Let $F$ be a field. Consider the nodal curve $E$ given by $y^2 + xy - x^3 = 0$ (Weierstrass model $(1, 0, 0, 0, 0)$). Let $E_{ns}(F)$ be the non-singular locus of $E$ over $F$. We have an isomorphism
$$F^* \to E_{ns}(F), \qquad 1 \mapsto 0, \qquad t \mapsto \left(\frac{t}{(t-1)^2}, \frac{t}{(t-1)^3}\right).$$
The inverse is given by $0 \mapsto 1$ and $(x, y) \mapsto 1 + x/y$. See [12, Chapter III, Proposition 2.5]. This explains the substitution $x_i/(x_i - 1)^2$ in Proposition 2.2.i: a multiplicative relation $\prod_i x_i^{n_i} = 1$ in $F^*$ is an additive relation $\sum_i n_i P_i = 0$ in $E_{ns}(F)$.

For ii, consider the cuspidal curve $E$ given by $y^2 = x^3$. One has $E_{ns}(F) \cong F$ in this case, via $(x, y) \mapsto x/y$ with inverse $t \mapsto (t^{-2}, t^{-3})$, which explains the substitution $1/x_i^2$.

Finally, there is also the case of a nodal curve where the tangent lines at the node are not rational. In this case, one has $E_{ns}(F) \cong \ker(\mathrm{Norm}_{F'/F})$, where $F'/F$ is a quadratic extension of $F$ ([13, Theorem 2.31]). One should be able to use similar summation polynomials in this case.


3. NP-completeness of summation polynomials 

We will now study NP-completeness properties of summation polynomials. Most results in this section were already known; see for example

https://ellipticnews.wordpress.com/2011/08/04/hard-problems-of-algebraic-geometry-codes-by-qi-cheng/

We would like to warn the reader that the result below does not imply that summation polynomials are not helpful for solving the elliptic curve discrete logarithm problem (Remark 3.7).

We begin with the following problem. 

Problem 1 (Subset sum problem). Given an abelian group $G$, a subset $S \subset G$ and $g \in G$, determine whether there is a subset $T \subset S$ such that $\sum_{t \in T} t = g$.

We start with a known result, although the proof for $m = 3$ below might be new.

Proposition 3.1. The subset sum problem for the following sets of groups is NP-complete:

i. $\{\mathbb{Z}\}$ and $\{\mathbb{Z}/n\mathbb{Z} : n \in \mathbb{Z}_{\geq 1}\}$;

ii. $\{(\mathbb{Z}/m\mathbb{Z})^n : n \in \mathbb{Z}_{\geq 1}\}$ for fixed $m \geq 3$.

Proof. All problems are obviously in NP.

i. The result for $\{\mathbb{Z}\}$ was shown in [7]. A proof can also be given as in ii, using an $m$-adic representation of integers. The result for $\{\mathbb{Z}/n\mathbb{Z} : n \in \mathbb{Z}_{\geq 1}\}$ follows directly from the result for $\{\mathbb{Z}\}$.

ii. Fix $m$. We first look at another problem. We look for $r \in \mathbb{Z}_{\geq 1}$, $k \in \mathbb{Z}_{\geq 0}$ and vectors $c_1, c_2, c_3 \in (\mathbb{Z}/m\mathbb{Z})^r$, $d_1, \ldots, d_k \in (\mathbb{Z}/m\mathbb{Z})^r$, $t \in (\mathbb{Z}/m\mathbb{Z})^r$ with the following properties:

(a) given a non-empty subset $C \subset \{c_1, c_2, c_3\}$, there is a subset $D \subset \{d_1, \ldots, d_k\}$ such that $\sum_{c \in C} c + \sum_{d \in D} d = t$;

(b) no subset of $\{d_1, \ldots, d_k\}$ sums to $t$.

Suppose we have found a solution to the above problem. We will show how to reduce an instance of 3-SAT to the subset sum problem in $(\mathbb{Z}/m\mathbb{Z})^N$ for some small $N$. Assume that the 3-SAT instance has variables $x_1, \ldots, x_s$, with negations $\bar{x}_1, \ldots, \bar{x}_s$, and that there are $w$ clauses. An example of such a clause would be $x_1 \vee \bar{x}_2 \vee x_4$. We will now translate this to a subset sum problem in $R = (\mathbb{Z}/m\mathbb{Z})^s \times ((\mathbb{Z}/m\mathbb{Z})^r)^w$. We represent an element of $R$ as $(a_1, \ldots, a_s, b_1, \ldots, b_w) = \sum_{i=1}^s a_i e_i + \sum_{j=1}^w b_j e'_j$, where $a_i \in \mathbb{Z}/m\mathbb{Z}$ and $b_j \in (\mathbb{Z}/m\mathbb{Z})^r$, and the $e_i$ and $e'_j$ are the standard basis vectors. Set $c_0 = 0 \in (\mathbb{Z}/m\mathbb{Z})^r$ and set $n(x_i) = n(\bar{x}_i) = i$.

Let $x$ be a variable or its negation. We define $v_x$ as follows. For $j = 1, \ldots, w$ define $r_x(j) \in \{0, 1, 2, 3\}$ as follows. If $x$ appears in clause $j$ for the first time at position $\rho \in \{1, 2, 3\}$, set $r_x(j) = \rho$. If $x$ does not appear in clause $j$, set $r_x(j) = 0$. We set
$$v_x = e_{n(x)} + \sum_{j=1}^w c_{r_x(j)}\, e'_j \in R.$$
Furthermore, for $j = 1, \ldots, w$ and $i = 1, \ldots, k$ set
$$h_{j,i} = d_i\, e'_j \in R.$$
Finally, set
$$g = \sum_{i=1}^s e_i + \sum_{j=1}^w t\, e'_j \in R.$$
One easily obtains: the 3-SAT instance has a solution if and only if there is a subset of $\{v_{x_1}, \ldots, v_{x_s}, v_{\bar{x}_1}, \ldots, v_{\bar{x}_s}\} \cup \{h_{j,i} : j = 1, \ldots, w,\ i = 1, \ldots, k\}$ summing to $g$. Indeed, the $e_i$-coordinate of $g$ is 1, so exactly one of $v_{x_i}$, $v_{\bar{x}_i}$ is chosen, which determines a truth assignment; in the block of clause $j$ the chosen literals contribute $\sum_{c \in C} c$, where $C$ is the set of $c_\rho$ for the positions $\rho$ of the true literals, and by (a) and (b) this can be completed to $t$ by the $h_{j,i}$ if and only if $C \neq \emptyset$.

It remains to show that we can find the required $r$, $k$, $c_i$, $d_i$ and $t$. Assume first that $m > 3$. One can take $r = 1$, $k = 2$, $c_1 = c_2 = c_3 = 1$, $d_1 = d_2 = 1$ and $t = 3$. For $m = 3$, it is harder to solve the problem. Set $r = 3$, $k = 5$ and set
$$c_1 = (2, 1, 2), \quad c_2 = (2, 2, 2), \quad c_3 = (2, 0, 1), \quad t = (2, 0, 1)$$
and
$$d_1 = t - c_1, \quad d_2 = t - c_2, \quad d_3 = t - c_1 - c_2, \quad d_4 = t - c_1 - c_3, \quad d_5 = t - c_2 - c_3.$$
One easily verifies that this works. □

Remark 3.2. The proof of Proposition 3.1.ii fails for $m = 2$. The subset sum problem over $(\mathbb{F}_2)^n$ is easy: it is just linear algebra over $\mathbb{F}_2$.

Consider the following assumption. 

Assumption 3.3. Given a positive integer $n$, one can construct a finite field $\mathbb{F}_q$ of cardinality $q$ and an elliptic curve $E/\mathbb{F}_q$ together with a point $P \in E(\mathbb{F}_q)$ with $\mathrm{ord}(P) > n$ in time polynomial in $\log(n)$.

Remark 3.4. In a non-deterministic way, one can randomly find a curve $E/\mathbb{F}_q$ with $\#E(\mathbb{F}_q)$ prime and a non-trivial point on this curve. One can do this since there are many primes by the prime number theorem, and one can count points on curves efficiently by Schoof's algorithm. See [1] for more advanced methods for constructing elliptic curves with a prescribed number of points.

We will now prove NP-completeness of summation polynomials.

Theorem 3.5. The following hold.

i. Assume that Assumption 3.3 holds. The following problem is NP-complete: given a finite field $\mathbb{F}_q$ of cardinality $q$, an elliptic curve $E/\mathbb{F}_q$ in Weierstrass form with coefficients $A$, an integer $r \in \mathbb{Z}_{\geq 3}$ and $x_i \in \mathbb{F}_q$ ($i = 0, \ldots, r-1$), determine whether $S_{A,r}(x_0, \ldots, x_{r-1})$ is zero.

ii. Let $p \geq 3$ be a fixed prime. The following problem is NP-complete: given positive integers $n$, $r$, a finite field $\mathbb{F}_{p^n}$ of cardinality $p^n$, and $a_0, \ldots, a_{r-1} \in \mathbb{F}_{p^n} \setminus \{0\}$, determine whether $S_{(0,0,0,0,0),r}(a_0, \ldots, a_{r-1})$ is zero.

Proof. i. First of all, notice that this problem is in NP: a witness consists of $n_i \in \{\pm 1\}$ and $P_i \in E(\overline{\mathbb{F}}_q)$ with $x(P_i) = x_i$ such that $\sum_i n_i P_i = 0$ (Proposition 2.1); the $P_i$ are defined over $\mathbb{F}_q$ or over its quadratic extension, so the witness has polynomial size.

Suppose we are given a subset sum problem for the group $\mathbb{Z}$. Say we need to find $\varepsilon_i \in \{0, 1\}$ such that $\sum_{i=1}^m \varepsilon_i v_i = w$, where we take the $v_i$ positive (the standard form of the problem) and may assume $0 \leq w \leq \sum_i v_i$. Note that $\sum_{i=1}^m \varepsilon_i v_i = w$ if and only if $\sum_{i=1}^m 2\varepsilon_i v_i = 2w$. Hence the system is equivalent to solving for $n_i = 2\varepsilon_i - 1 \in \{\pm 1\}$ the equation
$$\sum_{i=1}^m n_i v_i = 2w - \sum_{i=1}^m v_i =: w'.$$
Use Assumption 3.3 to construct a finite field $\mathbb{F}_q$ and a curve $E/\mathbb{F}_q$ with Weierstrass coefficients $A$ and a point $P$ of order at least $1 + 2\sum_{i=1}^m v_i$. Then the above holds if and only if
$$\sum_{i=1}^m n_i v_i P = w' P,$$
since $|\sum_i n_i v_i - w'| \leq 2\sum_i v_i$ is smaller than the order of $P$. Assume that $w' \neq 0$. The latter, by Proposition 2.1, is equivalent to
$$S_{A,m+1}\big(x(v_1 P), \ldots, x(v_m P), x(w' P)\big) = 0.$$
If $w' = 0$, one can use $S_{A,m}$. Hence the result follows from Proposition 3.1.i.

ii. The proof is very similar to the proof of i. The problem is in NP by Proposition 2.2. Suppose we are given an instance of a subset sum problem over $(\mathbb{F}_p)^m$. After multiplying by 2 (which is invertible, as $p$ is odd) we reduce to the problem of checking whether there are $n_i \in \{\pm 1\}$ with
$$\sum_{i=1}^m n_i v_i = w'$$
with $v_i \neq 0$.

Find an irreducible polynomial $f$ over $\mathbb{F}_p$ of degree $m$ and construct a field $\mathbb{F}_{p^m} = \mathbb{F}_p[X]/(f)$ (one can do this in polynomial time since $p$ is fixed, see [11]). Identify $\mathbb{F}_p^m$ with $\mathbb{F}_{p^m}$ using a linear isomorphism. Assume that $w' \neq 0$. Then the last problem is equivalent to checking whether $S_{(0,0,0,0,0),m+1}(1/v_1^2, \ldots, 1/v_m^2, 1/w'^2)$ evaluates to zero, by Proposition 2.2.ii. If $w' = 0$, then one can use a lower summation polynomial. Use Proposition 3.1.ii to finish the proof. □

Remark 3.6. The proof of Theorem 3.5.ii fails for $p = 2$. For $p = 2$, one has $S_{(0,0,0,0,0),r}(a_0, \ldots, a_{r-1}) = 0$ if and only if $a_0^{-1} + \cdots + a_{r-1}^{-1} = 0$ (Proposition 2.2.ii: in characteristic 2 the signs $n_i$ play no role, and $\sum_i x_i = 0$ if and only if $\sum_i x_i^2 = 0$). Hence the problem is very easy.

Remark 3.7. Theorem 3.5 shows that it is NP-complete to check whether summation polynomials evaluate to zero. However, it does not suggest that the ECDLP itself is a hard problem. In fact, the ECDLP for curves with, for example, $p$ points can be solved quickly ([12, Chapter XI, Proposition 6.5]), but the above proof shows that it is still NP-complete to evaluate the corresponding summation polynomials.

4. Weil descent and first fall degrees 

In this section, we will study Weil descent systems coming from summation polynomials over a finite field of characteristic 2. In particular, we study the system coming from the third summation polynomial of an ordinary elliptic curve. Let us first define the procedure of Weil descent.

4.1. Weil descent. Let $p$ be a prime and $n, r \in \mathbb{Z}_{\geq 1}$. Let $\mathbb{F}_{p^n}$ be a field of cardinality $p^n$. Consider
$$R_1 = \mathbb{F}_{p^n}[X_1, \ldots, X_r]/(X_i^{p^n} - X_i : i = 1, \ldots, r)$$
and
$$R_2 = \mathbb{F}_p[X_{ij} : i = 1, \ldots, r,\ j = 1, \ldots, n]/(X_{ij}^p - X_{ij} : i = 1, \ldots, r,\ j = 1, \ldots, n).$$
Finally, set
$$R_3 = \mathbb{F}_{p^n}[X_{ij} : i = 1, \ldots, r,\ j = 1, \ldots, n]/(X_{ij}^p - X_{ij} : i = 1, \ldots, r,\ j = 1, \ldots, n).$$
One has $R_1 \cong (\mathbb{F}_{p^n})^{\mathbb{F}_{p^n}^r}$ and $R_2 \cong (\mathbb{F}_p)^{\mathbb{F}_p^{nr}}$ as rings, by evaluating the $X_i$ and the $X_{ij}$ at points of $\mathbb{F}_{p^n}^r$, respectively $\mathbb{F}_p^{nr}$. There is a bijection between the ideals of $R_1$ and the power set of $\mathbb{F}_{p^n}^r$, and similarly a bijection between the ideals of $R_2$ and the power set of $\mathbb{F}_p^{nr}$.

Let $\alpha_1, \ldots, \alpha_n$ be a basis of $\mathbb{F}_{p^n}$ over $\mathbb{F}_p$. This gives us an isomorphism over $\mathbb{F}_p$ between $\mathbb{F}_{p^n}$ and $(\mathbb{F}_p)^n$, and hence one between $\mathbb{F}_{p^n}^r$ and $(\mathbb{F}_p)^{nr}$. This gives a bijection between the set of ideals of $R_1$ and that of $R_2$. We call this Weil descent.

The correspondence in practice is given as follows. Let $f \in R_1$. Set $X_i = \sum_{j=1}^n X_{ij}\alpha_j$. Write
$$f\Big(\sum_{j=1}^n X_{1j}\alpha_j, \ldots, \sum_{j=1}^n X_{rj}\alpha_j\Big) = \sum_{i=1}^n [f]_i\, \alpha_i \in R_3$$
with $[f]_i \in R_2$. An ideal $I \subset R_1$ is mapped to $([f]_i : f \in I,\ i = 1, \ldots, n) \subset R_2$. With Weil descent one can solve systems over $\mathbb{F}_{p^n}$ by solving systems over $\mathbb{F}_p$.

We make $R_1$ into a $\mathbb{Z}[G]$-module, where $G = \mathrm{Gal}(\mathbb{F}_{p^n}/\mathbb{F}_p) = \langle \mathrm{Frob} \rangle$, by setting
$$\mathrm{Frob}(f) = f^p.$$
For $f \in R_1$ we set
$$\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(f) = \sum_{g \in G} g(f) = \sum_{i=0}^{n-1} f^{p^i} \in R_1.$$
This defines a group morphism which extends the trace map $\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}\colon \mathbb{F}_{p^n} \to \mathbb{F}_p$. Furthermore, we have $\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(f) \in (f)$. Finally, for $a \in \mathbb{F}_{p^n}^r$ we have
$$\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(f(a)) = \mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(f)(a).$$

One has the following lemma.

Lemma 4.1. Let $f \in R_1$. Write $1 = \sum_{i=1}^n c_i \alpha_i$ with $c_i \in \mathbb{F}_p$. Let $c \in \mathbb{F}_{p^n}$. Then for $i = 1, \ldots, n$ one has
$$[\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(cf)]_i = c_i \sum_{j=1}^n \mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(c\alpha_j)\,[f]_j \in R_2.$$
If $c_i \neq 0$, then one has $([\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(cf)]_1, \ldots, [\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(cf)]_n) = ([\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(cf)]_i)$.

Proof. One has
$$cf\Big(\sum_{j=1}^n X_{1j}\alpha_j, \ldots, \sum_{j=1}^n X_{rj}\alpha_j\Big) = \sum_{i=1}^n (c\alpha_i)[f]_i \in R_3.$$
Note that $[f]_i^p = [f]_i \in R_2$. Taking traces gives us the following identity in $R_3$:
$$\mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(cf)\Big(\sum_{j=1}^n X_{1j}\alpha_j, \ldots, \sum_{j=1}^n X_{rj}\alpha_j\Big) = \sum_{i=1}^n \mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(c\alpha_i)[f]_i = \sum_{i=1}^n c_i \Big(\sum_{j=1}^n \mathrm{Tr}_{\mathbb{F}_{p^n}/\mathbb{F}_p}(c\alpha_j)[f]_j\Big)\alpha_i.$$
This gives the first result. The second result follows directly. □
4.2. Weil descent in characteristic 2. We are interested in the Weil descent of systems coming from summation polynomials.


Proposition 4.2. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Assume that $E$ is ordinary ($a_1 \neq 0$). Then we have a surjective group morphism
$$E(F) \to \mathbb{F}_2, \qquad 0 \mapsto 0, \qquad P \mapsto \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x(P) + a_2}{a_1^2}\right)$$
with kernel $2E(F)$.

Proof. We will only prove that the map is a group morphism. Let $P_i = (x_i, y_i) \in E(F)$, $i = 1, 2$. If one of the $P_i$ is $0$ or their sum is $0$, the additivity of the map is clear (note that $x(-P) = x(P)$).

Otherwise the line $L$ through $P_1$ and $P_2$ (the tangent line to $E$ if $P_1 = P_2$) has an equation of the form
$$L\colon y = \lambda x + \nu.$$
Suppose $P_3 = (x_3, y_3)$ is the third point of $L \cap E$. Then we have $P_1 + P_2 + P_3 = 0$, and substituting $y = \lambda x + \nu$ into the equation of $E$ gives $x_1 + x_2 + x_3 = \lambda^2 + a_1\lambda + a_2$. This gives
$$\frac{x_1 + a_2}{a_1^2} + \frac{x_2 + a_2}{a_1^2} + \frac{x_3 + a_2}{a_1^2} = \left(\frac{\lambda}{a_1}\right)^2 + \frac{\lambda}{a_1}.$$
Notice that $\mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}((\lambda/a_1)^2) = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(\lambda/a_1)$. Thus we have
$$\mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\!\left(\frac{x_1 + a_2}{a_1^2}\right) + \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\!\left(\frac{x_2 + a_2}{a_1^2}\right) + \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\!\left(\frac{x_3 + a_2}{a_1^2}\right) = 0.$$
Therefore the additivity of the map follows. See [?, Chapter 7, Proposition 5.4] for a proof of the surjectivity of the map. □

From the above proposition one sees, for example, that if $P \in E(\mathbb{F}_{2^n})$, then $P \in 2E(\mathbb{F}_{2^{2n}})$: for $a \in \mathbb{F}_{2^n}$ one has $\mathrm{Tr}_{\mathbb{F}_{2^{2n}}/\mathbb{F}_2}(a) = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}(a + a) = 0$.


Corollary 4.3. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Assume that $E$ is ordinary. Let $P_1, \ldots, P_m \in E(F)$. Assume that $\pm P_1 \pm \cdots \pm P_m = 0$. Then one has
$$0 = \sum_{i=1}^m \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x(P_i) + a_2}{a_1^2}\right).$$

Proof. The proof follows directly from Proposition 4.2, since the map there only depends on $x(P_i) = x(-P_i)$. □


Lemma 4.4. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $r \in \mathbb{Z}_{\geq 2}$. Let $E/F$ be an elliptic curve. Suppose that $Q \in E(F)$ and $P_i \in E(\overline{F}) \setminus E(F)$ with $x(P_i) \in F$ ($i = 1, \ldots, r$) are such that $Q = P_1 + \cdots + P_r$. Then one has $2Q = 0$.

Proof. Let $F' \subset \overline{F}$ be the unique quadratic extension of $F$ in $\overline{F}$. Then one has $P_i \in E(F')$, since $y(P_i)$ satisfies a quadratic equation over $F$. Let $G = \langle \sigma \rangle = \mathrm{Gal}(F'/F)$, of order 2. Note that $G$ acts on $E(F')$ by $\sigma((x : y : z)) = (\sigma(x) : \sigma(y) : \sigma(z))$. As $x(P_i) \in F$, we conclude that $x(\sigma(P_i)) = \sigma(x(P_i)) = x(P_i)$. Hence we obtain $\sigma(P_i) = \pm P_i$. As $P_i \notin E(F)$, we find $\sigma(P_i) = -P_i$. Then we have
$$2Q = Q + \sigma(Q) = P_1 + \cdots + P_r + \sigma(P_1) + \cdots + \sigma(P_r) = P_1 - P_1 + \cdots + P_r - P_r = 0,$$
as required. □

Remark 4.5. Note that for an ordinary curve $E$ over $F = \mathbb{F}_{2^n}$ one always has $E(\overline{F})[2] \subset E(F)$, by Galois invariance: there is a unique point of order 2, so it is fixed by the Galois group.

Example 4.6. Consider the elliptic curve defined by $y^2 + xy = x^3 + 1$ over $\mathbb{F}_2$. One has $E(\mathbb{F}_2) \cong \mathbb{Z}/4\mathbb{Z}$ and $E(\mathbb{F}_{2^2}) \cong \mathbb{Z}/8\mathbb{Z}$. There are no points in $E(\mathbb{F}_{2^2}) \setminus E(\mathbb{F}_2)$ with $x$-coordinate in $\mathbb{F}_2$. Hence sometimes there are no $Q$ as in Lemma 4.4. In most cases one can find such $Q$ with a decomposition.


Proposition 4.7. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Assume that $E$ is ordinary. Let $S(X_1, X_2, X_3)$ be the 3rd summation polynomial for $E$. Let $P \in E(F) \setminus E(F)[2]$. Consider the ideal $I = (S(X_1, X_2, x(P))) \subset F[X_1, X_2]/(X_1^{2^n} - X_1, X_2^{2^n} - X_2) = R$. Then one has
$$g = \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{X_1 + X_2 + x(P) + a_2}{a_1^2}\right) \in I.$$

Proof. Suppose $(x_1, x_2) \in Z(I)$ with $x_j \in \overline{F}$. Then one has $x_j \in F$, because $X_j^{2^n} - X_j$ vanishes in $R$. By Proposition 2.1 there are $P_i \in E(\overline{F})$ ($i = 1, 2$) with $x(P_i) = x_i$ such that $P_1 + P_2 + P = 0$. Note that $P_1 \notin E(F)$ if and only if $P_2 \notin E(F)$, as $P \in E(F)$. If both were outside $E(F)$, Lemma 4.4 applied to $-P = P_1 + P_2$ would give $2P = 0$, which is excluded. It follows that $P_1, P_2 \in E(F)$. Corollary 4.3 gives
$$\mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x(P_1) + x(P_2) + x(P) + a_2}{a_1^2}\right) = 0.$$
Hence we obtain $g(x_1, x_2) = 0$. Hence we find $Z(I) \subset Z(g)$. Since $I$ is a radical ideal, by the Nullstellensatz we conclude $g \in I$. □

Remark 4.8. Proposition 4.7 does not directly generalize to any $S_m$ with $m > 3$. Indeed, we cannot always apply Lemma 4.4, because not all points in a decomposition need to be non-rational. Consider the $m$th summation polynomial, with $m$ even. Let $Q \in E(\overline{F}) \setminus E(F)$ with $x(Q) \in F$ (such points exist if $n \geq 3$). Then one has $P = P + Q - Q + \cdots + Q - Q$, a decomposition of $P$ into $m - 1$ points with $x$-coordinates in $F$, not all of them rational. This shows that other decompositions exist. Similarly, for $m$ odd one can construct such examples.

Hence the relation of Proposition 4.7 is not always present in our ideal. But in applications, such as relation generation for the elliptic curve discrete logarithm problem, one can just add the equation from the start (Proposition 4.2). Another option is to only look for relations in the kernel of the map $E(F) \to \mathbb{F}_2$ of Proposition 4.2.

A more explicit version of Proposition 4.7 is the following.

Proposition 4.9. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Assume that $E$ is ordinary. Let $S(X_1, X_2, X_3)$ be the 3rd summation polynomial for $E$. Let $P \in E(F) \setminus E(F)[2]$. Set $T = S(X_1, X_2, x(P)) \in F[X_1, X_2]/(X_1^{2^n} - X_1, X_2^{2^n} - X_2) = R$. Set $b = a_1(a_1x(P) + a_3) \in F^*$. Then in $R$ one has
$$\mathrm{Tr}_{F/\mathbb{F}_2}(T/b^2) = \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{X_1 + X_2 + x(P) + a_2}{a_1^2}\right).$$

Proof. Set $x = x(P)$. Note that $b \neq 0$, because $a_1 \neq 0$ (ordinary curve) and $a_1x + a_3 \neq 0$ ($P$ is not 2-torsion). In characteristic 2 one has $S(X_1, X_2, x) = (X_1X_2 + xX_1 + xX_2)^2 + b_2\,xX_1X_2 + b_4\,(X_1X_2 + xX_1 + xX_2) + b_6\,(X_1 + X_2 + x) + b_8$, and $b_2x + b_4 = a_1(a_1x + a_3) = b$, $b_4x + b_6 = a_3(a_1x + a_3) = a_3b/a_1$. Hence
$$\frac{T}{b^2} = \left(\frac{1}{b}X_1X_2 + \frac{x}{b}(X_1 + X_2)\right)^2 + \frac{1}{b}X_1X_2 + \frac{a_3}{ba_1}(X_1 + X_2) + \frac{b_6x + b_8}{b^2}.$$
Note that the cross term of the square vanishes and that $\mathrm{Tr}_{F/\mathbb{F}_2}\big((\tfrac{1}{b}X_1X_2)^2 + \tfrac{1}{b}X_1X_2\big) = 0$. Furthermore, one has
$$\frac{x}{b} + \frac{a_3}{ba_1} = \frac{a_1x + a_3}{ba_1} = \frac{1}{a_1^2}.$$
This gives $\mathrm{Tr}_{F/\mathbb{F}_2}\big((\tfrac{x}{b}(X_1 + X_2))^2 + \tfrac{a_3}{ba_1}(X_1 + X_2)\big) = \mathrm{Tr}_{F/\mathbb{F}_2}\big(\tfrac{X_1 + X_2}{a_1^2}\big)$. Now it remains to show that
$$\mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{b_6x + b_8}{b^2}\right) = \mathrm{Tr}_{\mathbb{F}_{2^n}/\mathbb{F}_2}\!\left(\frac{x + a_2}{a_1^2}\right). \tag{1}$$
Both sides of (1) are constants in $\mathbb{F}_2$, and $\mathrm{Tr}_{F/\mathbb{F}_2}(T/b^2) \in (T) = I$. If both expressions were different, then from Proposition 4.7 it would follow that $1 \in I = (S(X_1, X_2, x(P)))$. By assumption, $2P \neq 0$. We have the relation $P - 2P + P = 0$. From Proposition 2.1 we obtain $(x(2P), x(P)) \in Z(I)$, contradicting $1 \in I$. □


Remark 4.10. One can prove Equation (1) as follows, in a more computational way. Since $P$ is a point on the curve, $z = y(P)/(a_1x + a_3)$ satisfies $z^2 + z = (x^3 + a_2x^2 + a_4x + a_6)/(a_1x + a_3)^2$, so one has
$$\mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x^3 + a_2x^2 + a_4x + a_6}{(a_1x + a_3)^2}\right) = 0.$$
One has
$$\frac{b_6x + b_8}{b^2} = \frac{x + a_2}{a_1^2} + \frac{x^3 + a_2x^2 + a_4x + a_6}{(a_1x + a_3)^2} + \frac{a_4}{b} + \frac{a_4^2}{b^2}.$$
Note that the traces of $a_4/b$ and $a_4^2/b^2$ are the same. Taking traces gives us the required identity.


After Weil descent we finally obtain the main result of this section.

Corollary 4.11. Let $F = \mathbb{F}_{2^n}$ be a finite field of cardinality $2^n$. Let $E/F$ be an elliptic curve given by $Y^2 + a_1XY + a_3Y = X^3 + a_2X^2 + a_4X + a_6$. Assume that $E$ is ordinary. Let $S(X_1, X_2, X_3)$ be the 3rd summation polynomial for $E$. Let $P \in E(F) \setminus E(F)[2]$ and set $T = S(X_1, X_2, x(P)) \in F[X_1, X_2]/(X_1^{2^n} - X_1, X_2^{2^n} - X_2)$. Set $b = a_1(a_1x(P) + a_3) \in F^*$. Let $\alpha_1, \ldots, \alpha_n$ be a basis of $F$ over $\mathbb{F}_2$. Then one has in $R_2$
$$\sum_{i=1}^n \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{\alpha_i}{b^2}\right)[T]_i = \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{x(P) + a_2}{a_1^2}\right) + \sum_{i=1}^n \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{\alpha_i}{a_1^2}\right)(X_{1i} + X_{2i}).$$

Proof. Write $1 = \sum_i c_i\alpha_i$ with $c_i \in \mathbb{F}_2$. Let $i$ be such that $c_i \neq 0$. Set $h = (X_1 + X_2 + x(P) + a_2)/a_1^2$. By Proposition 4.9 one has
$$[\mathrm{Tr}_{F/\mathbb{F}_2}(T/b^2)]_i = [\mathrm{Tr}_{F/\mathbb{F}_2}(h)]_i.$$
By Lemma 4.1 the left hand side is equal to
$$c_i \sum_j \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{\alpha_j}{b^2}\right)[T]_j.$$
Set $d = \mathrm{Tr}_{F/\mathbb{F}_2}\big((x(P) + a_2)/a_1^2\big)$. By Lemma 4.1 the right hand side is equal to
$$c_i\, d + c_i \sum_j \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{\alpha_j}{a_1^2}\right)(X_{1j} + X_{2j}) = c_i\Big(d + \sum_j \mathrm{Tr}_{F/\mathbb{F}_2}\!\left(\frac{\alpha_j}{a_1^2}\right)(X_{1j} + X_{2j})\Big).$$
Since $c_i = 1$, this gives the result. □

Remark 4.12. In [9] the following is written: “We have $D_{reg} \geq D_{firstfall}$. Experimental and theoretical evidences have shown in various contexts that the two definitions often lead to very close numbers.” The above corollary shows that this is not the case for 3rd summation polynomials. Let us explain.

The right hand side of the equation of Corollary 4.11 always has degree 1, whereas the $[T]_j$ on the left hand side usually have degree 2. Hence it is likely that summing up certain polynomials of degree 2 gives a polynomial of degree 1 (in practice, this almost always happens). This, by definition of the first fall degree, shows that the first fall degree of the system given by $S(X_1, X_2, x(P))$ after Weil descent is usually equal to 2. Hence the first fall degree will be much smaller than the upper bound 5 in Proposition 1 from [9] for a system consisting of a 3rd summation polynomial. Furthermore, computations seem to suggest that the degree of regularity increases when $n$ increases. Here, the degree of regularity refers to the largest degree reached during Gröbner basis computations using algorithms such as F4 or F5.

The following table records the degree of regularity for the Weil descent system comprising the bivariate polynomial $S(X_1, X_2, x(P))$ for a random elliptic curve $E$ and a random point $P$ on $E$ over $\mathbb{F}_{2^n}$. Following the formulation in [9], we include linear constraints on $X_1$ and $X_2$ to restrict their values to a random subspace of $\mathbb{F}_{2^n}$ of dimension $[n/2]$. We performed our computations using the “GroebnerBasis()” function in the Magma computer algebra system, and the degree of regularity is read off from the Magma output as the largest step degree in which new polynomials were obtained in that step or the subsequent steps, after setting the verbose level to a nonzero value. Note that in all our computations the first fall degree is 2, as expected.

Here, the fourth column of the table records the step at which the degree of regularity is first reached, and the last column the memory used.

n     First fall degree    Degree of regularity    Step    Memory
12    2                    3                       3       11.1 MB
16    2                    3                       3       11.1 MB
17    2                    4                       5       15.3 MB
20    2                    4                       5       30.2 MB
30    2                    4                       5       324.8 MB
40    2                    >= 5                    >= 9    > 38 GB

As the computations require more than 38 GB for $n = 40$ (the procedure was stopped because of lack of RAM), we are not able to carry out more experiments for larger values of $n$. However, the behaviour of the step degrees and the drastic increase in memory suggest that the degree of regularity is 5 or more when $n \geq 40$. This in turn indicates that the degree of regularity follows an increasing pattern as $n$ increases. This raises doubt about the evidence for Assumption 2 from the article [9]: the gap between the degree of regularity and the first fall degree might depend on $n$.


5. Some recent developments 

In light of the recent articles written by Semaev [10] and Karabina [6], we would like to point out our reservations about their claims, as a consequence of the results of this article. We will focus on the first article, since the second article is quite similar.

In both articles, the authors claim that the degree of regularity of their systems is constant (in [10] it is constantly 4). We carried out the experiments of [10] with $n = 45$, $m = 2$ and $t = 2$. The only difference with the experiments in Remark 4.12 is that the sub vector space constraining the variables is not random. We observed that the degree of regularity increased to 5. About 126 GB of RAM was used for this experiment, and we completely finished the computation. For the case $n = 40$, $m = 2$ and $t = 2$, the degree of regularity stayed at 4. Apparently, the choice of the specific vector space is a good one. We still believe that the degree of regularity will increase in all cases, and hence that the first fall degree assumption is very questionable. Furthermore, $n = 25$, $m = 3$ and $t = 3$ also seems to give degree of regularity 5. We were not able to finish this computation after using 111 GB of RAM.

In an updated version of the article [10], another assumption about the growth of the degree of regularity has been added (according to this assumption, the degree of regularity grows slowly with certain parameters, just slowly enough to obtain nice conclusions). When studying similar systems some time ago (including the splitting trick), we decided not to put forward such a conjecture because we realised it would be very hard to verify (or falsify) this claim computationally. Furthermore, we could not come up with any reasoning which would support such heuristics.

One of the problems with the first fall degree assumption is that it does not ‘see’ the number of variables. Let us give an extreme example in which we ‘prove’ P = NP using the first fall degree assumption. In fact, the reason we wrote the first part of this article is an example related to this one. In Section 3 we proved that it is NP-complete to check whether a summation polynomial evaluates to zero or not. Let $S_m$ be the $m$th summation polynomial for, say, an elliptic curve $E$ over a finite field $k$ of characteristic 2. Suppose we want to determine whether $S_m$ evaluated at $a_1, \ldots, a_m \in k$ is 0. By the splitting trick, this is equivalent to checking whether the following ideal in $k[X_1, \ldots, X_{m-3}]$ contains 1:
$$\big(S_3(a_1, a_2, X_1),\ S_3(X_1, a_3, X_2),\ S_3(X_2, a_4, X_3),\ \ldots,\ S_3(X_{m-4}, a_{m-2}, X_{m-3}),\ S_3(X_{m-3}, a_{m-1}, a_m)\big).$$
We now perform Weil descent on the system to $\mathbb{F}_2$. The first and the last equation are univariate of degree 2 and hence become linear after Weil descent, while the remaining ones are of the form $S_3(x, y, a)$. Consequently, the first fall degree of this system is 2 (Corollary 4.11). Under the first fall degree assumption, which says that the degree of regularity of such systems is bounded, we obtain a polynomial time algorithm (polynomial in the input) to solve the above problem. This seems highly unlikely.

It is certainly a very interesting question to derive good heuristic or theoretical bounds on the degree of regularity for systems as in [10]: if indeed the degree of regularity is small, this splitting trick would give a good algorithm. Unfortunately, it is not even clear to us how to make a good heuristic bound, let alone a theoretical bound.